Wire in WebhookTokenAutenticator support

Signed-off-by: Simo Sorce <[email protected]>
openshift · Mar 6, 2018 · 5986897 · 5986897
1 parent 3addbb0
commit 5986897
Show file tree

Hide file tree

Showing 7 changed files with 74 additions and 1 deletion.
diff --git a/pkg/cmd/server/apis/config/helpers.go b/pkg/cmd/server/apis/config/helpers.go
@@ -215,6 +215,12 @@ func GetMasterFileReferences(config *MasterConfig) []*string {
 		}
 	}
 
+	if len(config.WebhookTokenAuthenticators) > 0 {
+		for _, wta := range config.WebhookTokenAuthenticators {
+			refs = append(refs, &wta.WebhookTokenAuthnConfigFile)
+		}
+	}
+
 	for k := range config.AdmissionConfig.PluginConfig {
 		refs = append(refs, &config.AdmissionConfig.PluginConfig[k].Location)
 	}

diff --git a/pkg/cmd/server/apis/config/types.go b/pkg/cmd/server/apis/config/types.go
@@ -399,6 +399,9 @@ type MasterConfig struct {
 	EtcdConfig *EtcdConfig
 	// OAuthConfig, if present start the /oauth endpoint in this process
 	OAuthConfig *OAuthConfig
+	// WebhookTokenAuthnConfig, if present configures remote token reviewers
+	WebhookTokenAuthenticators []WebhookTokenAuthenticator
+
 	// DNSConfig, if present start the DNS server in this process
 	DNSConfig *DNSConfig
 
@@ -828,6 +831,15 @@ type DNSConfig struct {
 	AllowRecursiveQueries bool
 }
 
+type WebhookTokenAuthenticator struct {
+	// WebhookTokenAuthnConfigFile is a path to a Kubeconfig file with the webhook configuration
+	WebhookTokenAuthnConfigFile string
+	// WebhookTokenAuthnCacheTTL indicates how long an authentication result should be cached.
+	// It takes a valid time duration string (e.g. "5m").
+	// If empty, you get the default timeout. If zero (e.g. "0m"), caching is disabled
+	WebhookTokenAuthnCacheTTL string
+}
+
 type OAuthConfig struct {
 	// MasterCA is the CA for verifying the TLS connection back to the MasterURL.
 	// "" to use system roots, set to use custom roots, never nil (guaranteed by conversion defaults)

diff --git a/pkg/cmd/server/apis/config/v1/types.go b/pkg/cmd/server/apis/config/v1/types.go
@@ -247,6 +247,9 @@ type MasterConfig struct {
 	EtcdConfig *EtcdConfig `json:"etcdConfig"`
 	// OAuthConfig, if present start the /oauth endpoint in this process
 	OAuthConfig *OAuthConfig `json:"oauthConfig"`
+	// WebhookTokenAuthnConfig, if present configures remote token reviewers
+	WebhookTokenAuthenticators []WebhookTokenAuthenticator `json:"webhookTokenAuthenticators"`
+
 	// DNSConfig, if present start the DNS server in this process
 	DNSConfig *DNSConfig `json:"dnsConfig"`
 
@@ -711,6 +714,17 @@ type DNSConfig struct {
 	AllowRecursiveQueries bool `json:"allowRecursiveQueries"`
 }
 
+// WebhookTokenAuthenticators holds the necessary configuation options for
+// external token authenticators
+type WebhookTokenAuthenticator struct {
+	// WebhookTokenAuthnConfigFile is a path to a Kubeconfig file with the webhook configuration
+	WebhookTokenAuthnConfigFile string `json:"webhookTokenAuthnConfigFile"`
+	// WebhookTokenAuthnCacheTTL indicates how long an authentication result should be cached.
+	// It takes a valid time duration string (e.g. "5m").
+	// If empty, you get the default timeout. If zero (e.g. "0m"), caching is disabled
+	WebhookTokenAuthnCacheTTL string `json:"webhookTokenAuthnCacheTTL"`
+}
+
 // OAuthConfig holds the necessary configuration options for OAuth authentication
 type OAuthConfig struct {
 	// MasterCA is the CA for verifying the TLS connection back to the MasterURL.

diff --git a/pkg/cmd/server/apis/config/validation/master.go b/pkg/cmd/server/apis/config/validation/master.go
@@ -144,6 +144,12 @@ func ValidateMasterConfig(config *configapi.MasterConfig, fldPath *field.Path) V
 		validationResults.Append(ValidateOAuthConfig(config.OAuthConfig, fldPath.Child("oauthConfig")))
 	}
 
+	if len(config.WebhookTokenAuthenticators) > 0 {
+		for _, wta := range config.WebhookTokenAuthenticators {
+			validationResults.Append(ValidateWebhookTokenAuthenticator(wta, fldPath.Child("webhookTokenAuthenticators")))
+		}
+	}
+
 	validationResults.Append(ValidateServiceAccountConfig(config.ServiceAccountConfig, builtInKubernetes, fldPath.Child("serviceAccountConfig")))
 
 	validationResults.Append(ValidateHTTPServingInfo(config.ServingInfo, fldPath.Child("servingInfo")))

diff --git a/pkg/cmd/server/apis/config/validation/validation.go b/pkg/cmd/server/apis/config/validation/validation.go
@@ -10,6 +10,7 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"time"
 	"unicode"
 	"unicode/utf8"
 
@@ -406,3 +407,24 @@ func ValidateExtendedArguments(config config.ExtendedArguments, flagFunc func(*p
 
 	return allErrs
 }
+
+func ValidateWebhookTokenAuthenticator(config config.WebhookTokenAuthenticator, fldPath *field.Path) ValidationResults {
+	validationResults := ValidationResults{}
+	webhookTokenAuthnConfigFile := fldPath.Child("webhookTokenAuthnConfigFile")
+	if len(config.WebhookTokenAuthnConfigFile) == 0 {
+		validationResults.AddErrors(field.Required(webhookTokenAuthnConfigFile, ""))
+	} else {
+		validationResults.AddErrors(ValidateFile(config.WebhookTokenAuthnConfigFile, webhookTokenAuthnConfigFile)...)
+	}
+
+	webhookTokenAuthnCacheTTL := fldPath.Child("webhookTokenAuthnCacheTTL")
+	if len(config.WebhookTokenAuthnCacheTTL) == 0 {
+		validationResults.AddErrors(field.Required(webhookTokenAuthnCacheTTL, ""))
+	} else if ttl, err := time.ParseDuration(config.WebhookTokenAuthnCacheTTL); err != nil {
+		validationResults.AddErrors(field.Invalid(webhookTokenAuthnCacheTTL, config.WebhookTokenAuthnCacheTTL, fmt.Sprintf("%v", err)))
+	} else if ttl < 0 {
+		validationResults.AddErrors(field.Invalid(webhookTokenAuthnCacheTTL, config.WebhookTokenAuthnCacheTTL, "cannot be less than zero"))
+	}
+
+	return validationResults
+}
diff --git a/pkg/cmd/server/kubernetes/master/master_config.go b/pkg/cmd/server/kubernetes/master/master_config.go
@@ -588,7 +588,7 @@ func BuildKubernetesMasterConfig(
 
 func defaultOpenAPIConfig(config configapi.MasterConfig) *openapicommon.Config {
 	securityDefinitions := spec.SecurityDefinitions{}
-	if len(config.ServiceAccountConfig.PublicKeyFiles) > 0 {
+	if len(config.ServiceAccountConfig.PublicKeyFiles) > 0 || len(config.WebhookTokenAuthenticators) > 0 {
 		securityDefinitions["BearerToken"] = &spec.SecurityScheme{
 			SecuritySchemeProps: spec.SecuritySchemeProps{
 				Type:        "apiKey",

diff --git a/pkg/cmd/server/origin/authenticator.go b/pkg/cmd/server/origin/authenticator.go
@@ -16,6 +16,7 @@ import (
 	tokencache "k8s.io/apiserver/pkg/authentication/token/cache"
 	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
 	genericapiserver "k8s.io/apiserver/pkg/server"
+	webhooktoken "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 	kclientsetexternal "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/cert"
@@ -108,6 +109,18 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie
 			group.NewTokenGroupAdder(oauthTokenAuthenticator, []string{bootstrappolicy.AuthenticatedOAuthGroup}))
 	}
 
+	for _, wta := range config.WebhookTokenAuthenticators {
+		ttl, err := time.ParseDuration(wta.WebhookTokenAuthnCacheTTL)
+		if err != nil {
+			return nil, nil, fmt.Errorf("Error converting WebhookTokenAuthnCacheTTL='%s' to duration", wta.WebhookTokenAuthnCacheTTL)
+		}
+		webhookTokenAuthenticator, err := webhooktoken.New(wta.WebhookTokenAuthnConfigFile, ttl)
+		if err != nil {
+			return nil, nil, fmt.Errorf("Failed to create authenticator for WebhookTokenAuthnConfigFile='%s'", wta.WebhookTokenAuthnConfigFile)
+		}
+		tokenAuthenticators = append(tokenAuthenticators, webhookTokenAuthenticator)
+	}
+
 	if len(tokenAuthenticators) > 0 {
 		// Combine all token authenticators
 		tokenAuth := tokenunion.New(tokenAuthenticators...)